jsPDF PDF Injection Variant Analysis Results
=============================================
Date: Thu Feb 19 21:11:52 UTC 2026

VULNERABLE VERSION (v4.0.0):
- child.value bypass:       VULNERABLE
- child.defaultValue bypass: VULNERABLE
- child.appearanceState:     VULNERABLE

FIXED VERSION (v4.2.0):
- child.value bypass:       BYPASS WORKS!
- child.defaultValue bypass: BYPASS WORKS!
- child.appearanceState:     BLOCKED

CONCLUSION:
BYPASS CONFIRMED: The fix in v4.2.0 is incomplete. The value and defaultValue properties on AcroFormChildClass instances are not properly escaped.

Root Cause:
The fix uses instanceof AcroFormButton check which returns false for
AcroFormChildClass instances (radio button options created via createOption()).
The else branch stores the raw value without calling pdfEscapeName().